Executive Summary
Toustone, a leading Australian data analytics company, recognised the need for a formalised approach to information security as it scaled. While strong on technical controls, Toustone lacked a structured governance framework to support its growth and meet rising client expectations. By partnering with Morrisec, Toustone successfully achieved ISO/IEC 27001 certification in just nine months—building a robust Information Security Management System (ISMS) from the ground up.
Morrisec’s approach stood apart from traditional consulting by embedding itself as a true partner in Toustone’s journey. From initial risk assessment to final audit support, every policy, process, and control was tailored to Toustone’s specific business context and threat landscape. Post-certification, Morrisec continues to provide hands-on support—managing steering committees, risk registers, awareness training, and board reporting—ensuring Toustone not only maintains certification, but continues to mature its security posture.
Background
Toustone, a leading Australian data analytics company, recognising the need to strengthen its information security practices, embarked on a strategic initiative to enhance its security posture by pursuing ISO/IEC 27001 certification, a globally recognised standard for information security management.
We asked Toustone what the drivers were for getting ISO/IEC 27001:2022 certified.
We had been toying with it for several years, but as the global incidents began clocking up, it became more pressing, and we recognised we needed the right partner to see us through to certification. We felt we already did information security well from a technical point of view, and when we were small, the lack of an information framework to support our measures was manageable. But as we grew, this became harder. The growth of Toustone also coincided with the rise in cybercrime, so the timing was perfect. Our clients needed more than our say-so that we did security well, and as it turned out, Morrisec was able to support us to do it better, as well as help us to develop the robust policies and framework needed to support certification.
When starting their journey towards ISO/IEC 27001 certification, Toustone had only basic security policies in place, which needed to be significantly developed to meet the stringent requirements of ISO/IEC 27001. With the assistance of Morrisec, Toustone undertook a comprehensive program of work to build its Information Security Management System (ISMS) and achieve certification within nine months.
We asked Toustone why they chose Morrisec as their security partner.
The price was competitive, yet it also offered so much more, such as dedication and partnership, rather than just a project and a schedule of tasks to be completed. Recognising the importance of ongoing support after certification upfront and incorporating it into the proposal meant we had a plan to achieve certification and ensure longevity and that the effort wouldn’t be in vain.
Program of Work
The program of work was divided into five stages, each focusing on different aspects of the ISMS development and implementation process. As Morrisec’s Co-CEO, Dr Sarah Morrison, writes:
By breaking the implementation process into five distinct stages, we can ensure an organisation is embedding the policies and processes being developed as part of the program of work and not just ticking a box. What is the point of implementing 27001, if not to improve your organisation’s information security posture?
Stage 1: Risk Management
Morrisec began with a thorough organisational risk assessment to identify potential threats and vulnerabilities across the business. From this assessment, a risk register was developed, together with a Statement of Applicability (SoA), a document required for certification that records which controls apply based on the identified risks. A comprehensive information security risk framework was also established to manage identified risks effectively. Additionally, an asset register was created, and Morrisec commenced risk assessments of the critical cloud providers Toustone relies on for its business operations.
Stages 2 & 3: Organisation, People & Technology Controls
The second and third stages of Toustone’s journey were to build out their information security framework, with the development of ISO/IEC 27001 required policies and procedures. As each policy was finalised and approved, Morrisec worked with Toustone to embed these policies and procedures into the organisation. For example, a security awareness calendar was created, and content was disseminated to educate Toustone staff on ISO/IEC 27001 requirements, general security awareness, and cyber-hygiene. The Morrisec team undertook third-party risk assessments across documented information assets, and any identified risks were captured in the risk register, with treatment plans documented. An Information Security Steering Committee was also established, and critical members of Toustone were appointed to oversee the work. Katie, Toustone’s Privacy and Contracts Manager, describes her experience working with Morrisec during these project stages.
One of the things we were impressed with regarding Morrisec’s work is their availability. Morrisec was always there to back us up, no matter how ridiculous the question might be. Morrisec was one of the team.
Stages 4 & 5: ISMS Charter & Audits
Stages four and five were devoted to auditing and ensuring Toustone was ready for its ISO/IEC 27001 internal and external audits. When the internal audit was due to commence, an independent auditor from Morrisec conducted it as part of the service, in preparation for the external audit. Throughout the external audit, Morrisec was the primary contact for the auditors, acting as Toustone’s CISO and managing all aspects of the stage 1 and stage 2 audits. Morrisec and Toustone’s combined efforts successfully achieved ISO/IEC 27001 certification.
Morrisec’s preparation for the audit was amazing. We went into what could have been very stressful, reassured, and confident, as our consultant was very prepared and made sure we knew what to expect and were also prepared.
Post Certification Support
Since achieving certification, Morrisec has continued supporting Toustone in maintaining and enhancing its information security practices through various ongoing activities. This includes continually assessing and managing suppliers and third-party relationships, along with providing general security advice and guidance. Morrisec’s ongoing security awareness training ensures continual growth of Toustone’s cyber-aware culture and helps staff maintain vigilance against current and emerging threats. Incident response tabletop exercises are also conducted to ensure incident preparedness and timely response.
Additionally, Morrisec is responsible for the critical ongoing tasks required for Toustone to maintain its certification and ensure continual improvement. These include running monthly information security steering committee meetings and managing risk and asset registers to ensure they remain accurate and up to date. Morrisec also prepares and presents a six-monthly board report, including a detailed threat landscape analysis to ensure Toustone is aware of and can act against growing threats within its industry and geographical location.
Through these efforts, Morrisec has become an integral partner and part of Toustone’s team, providing continuous support and guidance. As Katie from Toustone reflects,
It is a big push to get ISO certification in place, but maintaining it is an even harder task. Other priorities and business issues arise, and we no longer have the bandwidth to dedicate to 27001. Having Morrisec onboard means we know we have it covered. Morrisec keeps us on track and makes the maintenance achievable.
The collaboration between Toustone and Morrisec has resulted in a robust ISMS that not only achieved ISO/IEC 27001 certification but continues to evolve and improve. The structured approach and comprehensive support from Morrisec have ensured that Toustone maintains high information security standards, protecting its data and enhancing its overall security posture.
What surprised us in our continued relationship with Morrisec is our consultant’s willingness to give their time to adapt to our evolving needs and the flexibility our consultant and Morrisec offer.
Toustone’s relationship with Morrisec is very strong. Morrisec is part of the team. If you have any questions or issues, Morrisec is on hand to offer expert advice and practical support. We trust Morrisec’s expertise and knowledge and know you have us covered for any cyber situation we face.
Post-certification, Morrisec remains an integral part of Toustone’s team.